[EDR Workflows][Osquery] Use newly added action responses data stream (…

…#184209) Follow up to #183892 with a commit that got lost during local rebase.
elastic · May 27, 2024 · efd4887 · efd4887
1 parent dc46dfc
commit efd4887
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 3 deletions.
diff --git a/...squery/server/search_strategy/osquery/factory/actions/results/query.action_results.dsl.ts b/...squery/server/search_strategy/osquery/factory/actions/results/query.action_results.dsl.ts
@@ -47,11 +47,11 @@ export const buildActionResultsQuery = ({
 
   let index: string;
   if (useNewDataStream) {
-    index = ACTION_RESPONSES_DATA_STREAM_INDEX;
+    index = `${ACTION_RESPONSES_DATA_STREAM_INDEX}*`;
   } else if (componentTemplateExists) {
-    index = ACTION_RESPONSES_INDEX;
+    index = `${ACTION_RESPONSES_INDEX}*`;
   } else {
-    index = AGENT_ACTIONS_RESULTS_INDEX;
+    index = `${AGENT_ACTIONS_RESULTS_INDEX}*`;
   }
 
   return {

diff --git a/x-pack/plugins/osquery/server/search_strategy/osquery/index.ts b/x-pack/plugins/osquery/server/search_strategy/osquery/index.ts
@@ -40,6 +40,8 @@ export const osquerySearchStrategyProvider = <T extends FactoryQueryTypes>(
         }),
         newDataStreamIndexExists: esClient.asInternalUser.indices.exists({
           index: `${ACTION_RESPONSES_DATA_STREAM_INDEX}*`,
+          allow_no_indices: false,
+          expand_wildcards: 'all',
         }),
       }).pipe(
         mergeMap(({ actionsIndexExists, newDataStreamIndexExists }) => {